Malware Turns to DNS and Steganography to Hide C&C Communications

Dr. Chris Dietrich from Crowdstrike and Pierre-Marc Bureau from Dell SecureWorks have identified a trend in malware campaigns where operators resort to the DNS protocol and steganography to manage botnet communications.

Steganography is the science of concealing data in plain sight, usually inside the hidden bits of an image. It the world of online security, it has been used before, but usually in solitary infections and for trivial purposes.

During the past year or so, various security vendors have started noticing more and more cyber-groups employ malicious images in relaying information to and from their infected targets.
Steganography, an emerging trend in malware design

After analyzing a few malware campaigns, Dietrich and Bureau, are now confirming that steganography has become quite a standard practice for some cyber-groups.

They name here the Lurk and the Gozi Neverquest malware families, and the Stegoloader information stealer.

The Lurk malware works by downloading ordinary BPM images, from where it extracts a URL from where another malware is fetched, that is then used to perform click fraud.

Gozi, used mainly for financial fraud, uses steganography as a backup method for downloading configuration files, in case network setups block its normal operations. In Gozi’s case, the malicious code is hidden in favicon files hosted on the Tor network.

Stegoloader, who appeared this year, is more bold when using steganography. This infostealer relies on the technique to store its entire main module inside a PNG image, which it downloads only after it deems a computer safe to infect.
Communication via the DNS protocol

We’ve seen many botnets employ HTTP or HTTPS as their communications protocol. While HTTPS is more efficient, it is also easy to spot and then stop by security tools.

In their quest for discovering new ways of ensuring a clear and undisturbed communications channel between infected hosts and the command and control (C2 or C&C) servers, many malware operators have started looking towards DNS.

Messages exchanged this way mimic DNS packages, so they fool regular traffic monitoring systems, but in fact, the data inside them is encoded and holds important details about the malware’s operations. Two malware families have been seen using this technique: Feederbot and PlugX.

“All in all, these examples show that hidden communication channels have arrived in today’s world of digital crime,” conclude the two researchers in their paper. “However, hidden communication channels are not a panacea. There is a lot of room for design errors when implemented from scratch and they need to be used in conjunction with other technologies such as cryptography to guarantee integrity, confidentiality and authenticity.”